GAINING THE ADVANTAGE 


Applying Cyber Kill Chain® Methodology to Network Defense 
THE MODERN DAY ATTACKER 


Cyberattacks aren’t new, but the stakes at every level are higher than ever. Adversaries are more 
sophisticated, well-resourced, trained, and adept at launching skillfully planned intrusion campaigns called 
Advanced Persistent Threats (APT). Our nation’s security and prosperity depend on critical infrastructure. 
Protecting these assets requires a clear understanding of our adversaries, their motivations and strategies. 


Adversaries are intent on the compromise and extraction of data for economic, political 
and national security advancement. Even worse, adversaries have demonstrated 
their willingness to conduct destructive attacks. Their tools and techniques have the 
ability to defeat most common computer network defense mechanisms. 
THE LOCKHEED MARTIN CYBER KILL CHAIN® 


The Cyber Kill Chain® framework is part of the Intelligence Driven 
Defense® model for the identification and prevention of cyber 
intrusion activity. The model identifies what the adversaries 
must complete in order to achieve their objective. 


Stopping adversaries at any stage breaks the chain of attack! Adversaries 
must completely progress through all phases for success; this puts 
the odds in our favor as we only need to block them at any given one 
for success. Every intrusion is a chance to understand more about 
our adversaries and use their persistence to our advantage. 


The kill chain model is designed in seven steps: reconnaissance, weaponization, 
delivery, exploitation, installation, command and control (C2), and actions on objectives. 

Defender’s goal: understand the aggressor’s actions. Understanding is Intelligence. 

Intruder succeeds if, and only if, they can proceed through steps 
1-6 and reach the final stage of the Cyber Kill Chain®. 


RECONNAISSANCE: Identify the Targets 

ADVERSARY 

The adversaries are in the planning phase of their operation. They conduct 
research to understand which targets will enable them to meet their objectives. 

- Harvest email addresses 
- Identify employees on social media networks 
- Collect press releases, contract awards, conference attendee lists 
- Discover internet-facing servers 

DEFENDER 

Detecting reconnaissance as it happens can be very difficult, but when defenders 
discover recon — even well after the fact — it can reveal the intent of the adversaries. 

- Collect website visitor logs for alerting and historical searching. 
- Collaborate with web administrators to utilize their existing browser analytics. 
- Build detections for browsing behaviors unique to reconnaissance. 
- Prioritize defenses around particular technologies or people based on recon activity. 
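The defender actions above (collect visitor logs, build detections for browsing behaviors unique to reconnaissance) can be turned into a concrete check. The following is an added example, not code from the brochure or from Lockheed Martin: it parses web server log lines in the common "combined" format and flags clients whose browsing looks like reconnaissance. The log lines are constructed sample data, and the heuristics and thresholds (distinct-path enumeration inside a time window, requests for an assumed list of "recon paths" such as a staff directory, the absence of any referer) are assumptions a defender would tune to their own site.

```python
"""Reconnaissance-pattern detection over web server visitor logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/NGINX "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths ordinary visitors rarely request but a reconnaissance pass often does
# (crawler control files, staff directories, org charts). Assumed list; tune per site.
RECON_PATHS = ("/robots.txt", "/sitemap.xml", "/staff", "/directory", "/org-chart")

# Constructed sample log: one scripted client enumerating the site, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /robots.txt HTTP/1.1" 200 310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /sitemap.xml HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /staff HTTP/1.1" 200 9812 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /staff?page=2 HTTP/1.1" 200 9711 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /press/contract-award-2023 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "GET /careers HTTP/1.1" 200 4100 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:14:02:10 +0000] "GET / HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:02:35 +0000] "GET /products HTTP/1.1" 200 6200 "https://example.com/" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts with an aware datetime; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def find_recon_clients(records, window_seconds=60, min_distinct_paths=5, min_recon_paths=2):
    """Return {client_ip: [reasons]} for clients whose browsing resembles reconnaissance."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        reasons = []

        # 1. Enumeration: many distinct paths (query string stripped) inside a short window.
        for i, start in enumerate(recs):
            paths = set()
            for r in recs[i:]:
                if (r["time"] - start["time"]).total_seconds() > window_seconds:
                    break
                paths.add(r["path"].split("?")[0])
            if len(paths) >= min_distinct_paths:
                reasons.append(f"{len(paths)} distinct paths within {window_seconds}s")
                break

        # 2. Requests for paths characteristic of target discovery.
        hits = sorted({r["path"].split("?")[0] for r in recs if r["path"].split("?")[0] in RECON_PATHS})
        if len(hits) >= min_recon_paths:
            reasons.append("recon paths requested: " + ", ".join(hits))

        # 3. Supporting evidence only: never arriving by following a link.
        if reasons and all(r["referer"] == "-" for r in recs):
            reasons.append("no referer on any request")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in find_recon_clients(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

Run historically over retained logs (the brochure's "historical searching") as well as on a live feed: a hit found months later still tells you which people or technologies the adversary was interested in, which is what "prioritize defenses based on recon activity" needs.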


WEAPONIZATION: Prepare the Operation 

ADVERSARY 

The adversaries are in the preparation and staging phase of their operation. 
Malware generation is likely not done by hand — they use automated tools. 
A “weaponizer” couples malware and exploit into a deliverable payload. 

- Obtain a weaponizer, either in-house or through public or private channels 
- For file-based exploits, select a “decoy” document to present to the victim. 
- Select backdoor implant and appropriate command and control infrastructure for operation 
- Designate a specific “mission id” and embed in the malware 
- Compile the backdoor and weaponize the payload 

DEFENDER 

This is an essential phase for defenders to understand. Though they cannot 
detect weaponization as it happens, they can infer by analyzing malware 
artifacts. Detections against weaponizer artifacts are often the 
most durable & resilient defenses. 

- Conduct full malware analysis — not just what payload it drops, but how it was made. 
- Build detections for weaponizers — find new campaigns and new payloads only because they re-used a weaponizer toolkit. 
- Analyze timeline of when malware was created relative to when it was used. Old malware is “malware off the shelf” but new malware might mean active, tailored operations. 
- Collect files and metadata for future analysis. 
- Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held? 


DELIVERY: Launch the Operation 

ADVERSARY 

The adversaries convey the malware to the target. They have launched their operation. 

- Direct against web servers 
- Adversary released delivery: 
  - Malicious email 
  - Malware on USB stick 
  - Social media interactions 
  - “Watering hole” compromised websites 

DEFENDER 

This is the first and most important opportunity for defenders to block 
the operation. A key measure of effectiveness is the fraction 
blocked at delivery stage. 

- Analyze delivery medium — understand upstream infrastructure. 
- Understand targeted servers and people, their roles and responsibilities, what information is available. 
- Infer intent of adversary based on targeting. 
- Leverage weaponizer artifacts to detect new malicious payloads at the point of Delivery. 
- Analyze time of day of when operation began. 
- Collect email and web logs for forensic reconstruction. Even if an intrusion is detected late, defenders must be able to determine when and how delivery began. 


EXPLOITATION: Gain Access to Victim 

ADVERSARY 

The adversaries must exploit a vulnerability to gain access. The 
phrase “zero day” refers to the exploit code used in just this step. 

- Software, hardware, or human vulnerability 
- Acquire or develop zero day exploit 
- Adversary triggered exploits for server-based vulnerabilities 
- Victim triggered exploits: 
  - Opening attachment of malicious email 
  - Clicking malicious link 

DEFENDER 

Here traditional hardening measures add resiliency, but custom 
capabilities are necessary to stop zero-day exploits at this stage. 

- User awareness training and email testing for employees. 
- Secure coding training for web developers. 
- Regular vulnerability scanning and penetration testing. 
- Endpoint hardening measures: 
  - Restrict admin privileges 
  - Use Microsoft EMET 
- Custom endpoint rules to block shellcode execution 
- Endpoint process auditing to forensically determine origin of exploit. 


INSTALLATION: Establish Beachhead at the Victim 

ADVERSARY 

Typically, the adversaries install a persistent backdoor or implant in the 
victim environment to maintain access for an extended period of time. 

- Install webshell on web server 
- Install backdoor/implant on client victim 
- Create point of persistence by adding services, AutoRun keys, etc. 
- Some adversaries “time stomp” the file to make malware appear it is part of the standard operating system install. 

DEFENDER 

Endpoint instrumentation to detect and log installation activity. 
Analyze installation phase during malware analysis to create 
new endpoint mitigations. 

- HIPS to alert or block on common installation paths, e.g. RECYCLER. 
- Understand if malware requires administrator privileges or only user. 
- Endpoint process auditing to discover abnormal file creations. 
- Extract certificates of any signed executables. 
- Understand compile time of malware to determine if it is old or new. 
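Both the weaponization guidance (analyze when malware was created relative to when it was used) and the installation guidance (understand compile time to determine if malware is old or new) come down to one check: read the build timestamp out of the file and compare it with the first sighting. The following is an added example, not code from the brochure or from Lockheed Martin. It reads the COFF TimeDateStamp from a Windows PE header and maps the gap onto the brochure's three interpretations: old "malware off the shelf", freshly built and possibly tailored, or a build time later than the first sighting, which points at a forged or time-stomped stamp. The PE header used for the demonstration is constructed in memory (header only, no code), so the script runs offline; the 30-day "fresh" threshold and the helper names are assumptions.

```python
"""Compile-time versus first-seen timeline check for a PE file (added example)."""
import struct
from datetime import datetime, timedelta, timezone

DOS_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def utc(year, month, day):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # Caveat: reproducible builds (e.g. MSVC /Brepro) store a hash here rather than a time,
    # so a stamp of 0 or an absurd year should be treated as "unknown", not "old".
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_age(compile_time, first_seen, fresh_days=30):
    """Map the build-to-sighting gap onto the brochure's three interpretations."""
    gap = first_seen - compile_time
    if gap < timedelta(0):
        return "forged-timestamp"      # "built" after it was seen: time stomping or a faked stamp
    if gap <= timedelta(days=fresh_days):
        return "new-tailored"          # freshly built: possibly an active, targeted operation
    return "old-off-the-shelf"         # long-available tooling


def build_pe_stub(stamp):
    """Construct a header-only PE image carrying the given TimeDateStamp (test data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, PointerToSymbolTable=0, NumberOfSymbols=0,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def assess(data, first_seen, fresh_days=30):
    """Return compile time, first sighting and age class for one sample."""
    compile_time = pe_compile_time(data)
    return {"compile_time": compile_time,
            "first_seen": first_seen,
            "age": classify_age(compile_time, first_seen, fresh_days)}


if __name__ == "__main__":
    sample = build_pe_stub(int(utc(2023, 10, 1).timestamp()))
    for seen in (utc(2023, 10, 10), utc(2025, 1, 1), utc(2023, 9, 1)):
        print("first seen", seen.date(), "->", assess(sample, seen)["age"])
```

On a real sample, pass the file's bytes and the earliest time any sensor, mail log or proxy log recorded it; record the result alongside the file and its metadata so later campaigns can be compared against it.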
COMMAND & CONTROL (C2) 

ADVERSARY 

Malware opens a command channel to enable the adversary to 
remotely manipulate the victim. 

- Open two way communications channel to C2 infrastructure 
- Most common C2 channels are over web, DNS, and email protocols 
- C2 infrastructure may be adversary owned or another victim network itself 

DEFENDER 

The defender’s last best chance to block the operation: by blocking 
the C2 channel. If adversaries can’t issue commands, defenders 
can prevent impact. 

- Discover C2 infrastructure through malware analysis. 
- Harden network: 
  - Consolidate number of internet points of presence 
  - Require proxies for all types of traffic (HTTP, DNS) 
- Customize blocks of C2 protocols on web proxies. 
- Proxy category blocks, including “none” or “uncategorized” domains. 
- DNS sink holing and name server poisoning. 
- Conduct open source research to discover new adversary C2 infrastructure. 


ACTIONS ON OBJECTIVES: Achieve the Mission’s Goal 

ADVERSARY 

With hands-on keyboard access, intruders accomplish the mission’s 
goal. What happens next depends on who is on the keyboard. 

- Collect user credentials 
- Privilege escalation 
- Internal reconnaissance 
- Lateral movement through environment 
- Collect and exfiltrate data 
- Destroy systems 
- Overwrite or corrupt data 
- Surreptitiously modify data 

DEFENDER 

The longer an adversary has CKC7 access, the greater the impact. 
Defenders must detect this stage as quickly as possible by using forensic 
evidence, including network packet captures, for damage assessment. 

- Establish incident response playbook, including executive engagement and communications plan. 
- Detect data exfiltration, lateral movement, unauthorized credential usage. 
- Immediate analyst response to all CKC7 alerts. 
- Forensic agents pre-deployed to endpoints for rapid triage. 
- Network packet capture to recreate activity. 
- Conduct damage assessment with subject matter experts. 


ANALYSIS: Identifying Patterns 


Analysis of multiple intrusion kill chains over time draws attention to 
similarities and overlapping indicators. Defenders learn to recognize and define 
intrusion campaigns and understand the intruder’s mission objectives. 


Identify patterns: what are they looking for, why are they targeting me? 


This will help identify how to best protect yourself from the next attack. 
You can’t get ahead of the threat unless you understand the campaign. 
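The analysis step above, recognizing that several intrusions share indicators and therefore belong to one campaign, can be done mechanically once each intrusion is recorded phase by phase. The following is an added example, not the brochure's or Lockheed Martin's own code: each intrusion is a map from kill chain phase to the indicators observed there, intrusions that share a closely held indicator are linked, and the connected groups are reported as candidate campaigns with a merged profile per phase. The intrusion records and indicator strings are constructed sample data; the list of widely shared indicators that must not link intrusions (the brochure's "widely shared or closely held?" question) is an assumed analyst-maintained list.

```python
"""Campaign identification from overlapping kill chain indicators (added example)."""
from collections import defaultdict

PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives")

# Indicators too widely shared to tie intrusions together (assumed list, analyst-maintained).
COMMON_INDICATORS = {"packer:generic-upx"}

# Constructed intrusion records: {intrusion_id: {phase: {indicator, ...}}}
INTRUSIONS = {
    "INT-001": {"delivery": {"sender:jobs@mail.example.net"},
                "weaponization": {"rtf-exploit-builder:v2"},
                "command_and_control": {"domain:update.cdn-example.org"}},
    "INT-002": {"delivery": {"sender:hr@mail.example.net"},
                "weaponization": {"rtf-exploit-builder:v2"},
                "command_and_control": {"domain:static.cdn-example.org"}},
    "INT-003": {"delivery": {"watering-hole:conference-example.org"},
                "installation": {"path:RECYCLER"},
                "command_and_control": {"domain:update.cdn-example.org"}},
    "INT-004": {"delivery": {"usb:autorun"},
                "weaponization": {"packer:generic-upx"},
                "command_and_control": {"ip:192.0.2.55"}},
    "INT-005": {"delivery": {"sender:news@mail.example.org"},
                "weaponization": {"packer:generic-upx"},
                "command_and_control": {"domain:login.example-mail.net"}},
}


def shared_indicators(intrusions, common=COMMON_INDICATORS):
    """Return {indicator: {intrusion ids}} for closely held indicators seen in more than one intrusion."""
    seen = defaultdict(set)
    for iid, phases in intrusions.items():
        for indicators in phases.values():
            for ind in indicators:
                if ind not in common:
                    seen[ind].add(iid)
    return {ind: ids for ind, ids in seen.items() if len(ids) > 1}


def cluster_campaigns(intrusions, common=COMMON_INDICATORS):
    """Group intrusions linked (directly or transitively) by shared indicators; union-find."""
    parent = {iid: iid for iid in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in shared_indicators(intrusions, common).values():
        ordered = sorted(ids)
        for other in ordered[1:]:
            ra, rb = find(ordered[0]), find(other)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(list)
    for iid in intrusions:
        groups[find(iid)].append(iid)
    return sorted(sorted(g) for g in groups.values())


def campaign_profile(intrusions, cluster):
    """Merge the indicators of one campaign per phase, giving the campaign's known tradecraft."""
    profile = {phase: set() for phase in PHASES}
    for iid in cluster:
        for phase, indicators in intrusions[iid].items():
            profile[phase] |= indicators
    return profile


if __name__ == "__main__":
    for n, cluster in enumerate(cluster_campaigns(INTRUSIONS), 1):
        print(f"campaign {n}: {cluster}")
        for phase, inds in campaign_profile(INTRUSIONS, cluster).items():
            if inds:
                print(f"  {phase}: {sorted(inds)}")
```

INT-004 and INT-005 both carry the generic packer but are kept apart, while INT-003 joins the first campaign only through its C2 domain; the merged profile then shows every phase where that campaign has been observed, which is the view needed to block it earlier in the chain next time.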


RECONSTRUCTION: Prevent Future Attacks 


Cyber Kill Chain® analysis guides understanding of what information is, and may be, available 
for defensive courses of action. Stay focused on your threat landscape with vigilance. 


RESILIENCE: Defend against Advanced Persistent Threats 


The antidote to APT is a resilient defense. Measure the effectiveness of your 
countermeasures against the threats. Be agile to adapt your defenses faster than the threats. 


Defenders must always analyze 
backward to understand earlier steps 
in the kill chain. The threats will 
come back again. Learn how they 
got in and block it for the future. 


Blocked intrusions are equally 
important to analyze in depth to 
understand how the intrusion 
would have progressed. 


Measure effectiveness of your defenses 
if it progressed. Deploy mitigations 
to build resilience for tomorrow. 


JUST ONE MITIGATION BREAKS THE CHAIN 


The defender has the advantage with the Cyber Kill Chain® solution. 
All seven steps must be successful for a cyber attack to occur. 


The defender has seven opportunities to break the chain. 


CONCLUSION 

Defenders CAN have the advantage: 

- Better communicate and mitigate risks 
- Build true resilience 
- Meaningfully measure results 
- Look for patterns to strengthen your defense 
- Improve your organizational structure and response 
- Know your potential threat surfaces, even the old ones 

Getting Started: Remember there is no such thing as secure, only defendable. 
Start by thinking differently when you make changes to your 
processes, investments, metrics, communications with your 
team and leadership, staffing models, and architectures. 

Know your threats...it’s not just about network defense anymore. It’s 
about defending much more, like your platforms and mobile users. 